Log analysis and evaluation: PC apocalypse: firewall deactivation, Firefox broken, AntiVir alerts... Windows 7
26.02.2010, 13:20 | #1
PC apocalypse: firewall deactivation, Firefox broken, AntiVir alerts...

Hello everyone,

the apocalypse of my PC began this morning after visiting a website I had googled -> an empty pop-up opened! Since then: on every restart the Windows firewall is automatically disabled, Firefox no longer runs (I'm writing from Internet Explorer), AntiVir reported among other things tr/dropper.gen.

Here is the current HijackThis log:

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:39, on 26.02.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Seagate\SeagateManager\Sync\MaxSync.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\SPMSMON.EXE
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Cherry\KeyMan\KeyMan.exe
C:\Programme\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Programme\SlySoft\CloneCD\CloneCDTray.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\Services\SERVIC~1.EXE
C:\Programme\Cherry\CDI\cdi.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\agfguard.exe
C:\Programme\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\PROGRA~1\GEMEIN~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programme\iPod\bin\iPodService.exe
c:\programme\avira\antivir desktop\avcenter.exe
C:\Programme\Avira\AntiVir Desktop\avscan.exe
C:\Programme\GIMP-2.0\bin\gimp-2.6.exe
C:\Programme\GIMP-2.0\lib\gimp\2.0\plug-ins\script-fu.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Programme\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programme\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [ChangeICON] C:\WINDOWS\SPMSMON.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CherryKeyMan] "C:\Programme\Cherry\KeyMan\KeyMan.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Programme\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [ScanSoft OmniPage SE 4.0-reminder] "C:\Programme\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini"
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [MMTray] "C:\Programme\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Programme\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Programme\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [PcSync] C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: ISDN Guard.lnk = C:\WINDOWS\agfguard.exe
O4 - Global Startup: Ulead Kalendar Checker 4.0 SE.lnk = C:\Programme\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0 (SP6)) - http://activex.microsoft.com/controls/vb5/comdlg32.cab
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Cherry Device Interface - Cherry, Auerbach Germany, www.cherry.de - C:\Programme\Cherry\CDI\cdi.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - C:\MAGIX\Common\Database\bin\fbserver.exe (file missing)
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Programme\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Hardware management services (svchost) - Ohofdkiyxvusgeipnutq Wztwfpwuytdg Pqtvsmuxzruvzxrywblnqsvu - C:\WINDOWS\system\svchost.exe

--
End of file - 10755 bytes

I'm an ordinary user and don't know much about operating systems etc. What I would mainly like to know:

What information does the HijackThis log give?
Do I have to reinstall the system? (I can't do that myself; a friend would do it for me, but not until a week from now.)
Can I work "reasonably safely" until then, online banking etc.?

Many thanks for your answers!

Best regards
Sascha
26.02.2010, 19:29 | #2
Hi,

keep your hands off online banking...

Please have the following files checked (have files checked online):
Code:
C:\WINDOWS\system\svchost.exe

Malwarebytes Anti-Malware (MAM), instructions & download here: http://www.trojaner-board.de/51187-malwarebytes-anti-malware.html
If the download doesn't work, please download a generic version via: http://filepony.de/download-chameleon/
Run a full scan and let it clean everything! Post the log. Let's see what MAM has to say about it...

Gmer: http://www.trojaner-board.de/74908-anleitung-gmer-rootkit-scanner.html
You'll find the download link at the top left (http://www.gmer.net/#files); there click the "Download EXE" button. A random name is generated (please remember it and the path where you saved the file). Start GMER and check whether it already reports something. If it does, answer all questions with "no", go to the "rootkit" tab, again answer the question with "no" and paste the report into the thread using Copy. If it reports nothing, go to the Rootkit tab and run a scan. When that has finished, choose Copy and paste the report.

chris

For me:
Code:
C:\WINDOWS\system\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O23 - Service: Hardware management services (svchost) - Ohofdkiyxvusgeipnutq Wztwfpwuytdg Pqtvsmuxzruvzxrywblnqsvu - C:\WINDOWS\system\svchost.exe
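The three lines chris lists "for me" at the end of his reply are checks a script can make mechanically: a core Windows binary name running outside system32, an extra entry in the Winlogon UserInit value, and an O23 service whose vendor string is random letters. The following is an added example (my own Python, not code from the thread, HijackThis or trojaner-board.de) that runs those checks over a few lines copied from the log above; the vendor-name heuristic and its thresholds are my assumptions.

```python
"""Mechanical triage of HijackThis log lines (added example for this thread)."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule line")

# Assumption: default XP layout, so core binaries live only in %SystemRoot%\system32.
SYSTEM32 = r"c:\windows\system32"
CORE_BINARIES = {"svchost.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# The only entry a clean Winlogon UserInit value should contain.
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}

F2_USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
VOWELS = set("aeiouy")


def path_outside_system32(text):
    # True when the last path component is a core Windows binary name but the
    # path does not start with system32, e.g. C:\WINDOWS\system\svchost.exe
    p = text.strip().strip('"').lower()
    name = p.rsplit("\\", 1)[-1]
    return name in CORE_BINARIES and not p.startswith(SYSTEM32 + "\\")


def word_looks_random(word):
    """Heuristic (assumption): almost no vowels, or a run of 6+ consonants."""
    w = word.lower()
    vowel_ratio = sum(c in VOWELS for c in w) / len(w)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiouy]", w))
    return vowel_ratio < 0.2 or longest_consonant_run >= 6


def vendor_looks_random(vendor):
    """Flag an O23 vendor string if any word of 6+ letters looks random.
    Real vendors from the log ('Avira GmbH', 'Sun Microsystems, Inc.') pass;
    'Ohofdkiyxvusgeipnutq Wztwfpwuytdg ...' does not."""
    words = [w for w in re.findall(r"[A-Za-z]+", vendor) if len(w) >= 6]
    return any(word_looks_random(w) for w in words)


def parse_o23(line):
    """Split 'O23 - Service: <name> - <vendor> - <path>' from the right, so a
    dash inside the service name (as in the Firebird entry) is harmless."""
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    parts = line[len(prefix):].rsplit(" - ", 2)
    return tuple(parts) if len(parts) == 3 else None


def triage(log_text):
    """Return a list of Finding(rule, line) for every suspicious line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = F2_USERINIT_RE.match(line)
        if m:
            entries = {e.strip().lower() for e in m.group("value").split(",") if e.strip()}
            if entries - EXPECTED_USERINIT:
                findings.append(Finding("userinit-extra-entry", line))
            continue
        o23 = parse_o23(line)
        if o23:
            _name, vendor, path = o23
            if vendor_looks_random(vendor):
                findings.append(Finding("service-vendor-random", line))
            if path_outside_system32(path):
                findings.append(Finding("core-binary-outside-system32", line))
            continue
        # Everything else ("Running processes" paths, O4 entries): judge the path.
        if path_outside_system32(line):
            findings.append(Finding("core-binary-outside-system32", line))
    return findings


# Constructed sample: seven lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Hardware management services (svchost) - Ohofdkiyxvusgeipnutq Wztwfpwuytdg Pqtvsmuxzruvzxrywblnqsvu - C:\WINDOWS\system\svchost.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

Run against the sample it reports exactly the three lines chris picked out (the fake service line twice, once for the vendor string and once for the path).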
27.02.2010, 09:31 | #3
Here is the result after following the instructions above:

Code:
Antivirus | Version | Last update | Result
a-squared | 4.5.0.50 | 2010.02.27 | -
AhnLab-V3 | 5.0.0.2 | 2010.02.26 | -
AntiVir | 8.2.1.176 | 2010.02.26 | -
Antiy-AVL | 2.0.3.7 | 2010.02.26 | -
Authentium | 5.2.0.5 | 2010.02.27 | -
Avast | 4.8.1351.0 | 2010.02.27 | -
Avast5 | 5.0.332.0 | 2010.02.26 | -
AVG | 9.0.0.730 | 2010.02.26 | -
BitDefender | 7.2 | 2010.02.27 | -
CAT-QuickHeal | 10.00 | 2010.02.27 | Win32.PE.Packed.Win32.Krap.af.4
ClamAV | 0.96.0.0-git | 2010.02.27 | -
Comodo | 4080 | 2010.02.27 | Heur.Suspicious
DrWeb | 5.0.1.12222 | 2010.02.27 | -
eSafe | 7.0.17.0 | 2010.02.25 | -
eTrust-Vet | 35.2.7331 | 2010.02.26 | -
F-Prot | 4.5.1.85 | 2010.02.26 | -
F-Secure | 9.0.15370.0 | 2010.02.27 | -
Fortinet | 4.0.14.0 | 2010.02.26 | -
GData | 19 | 2010.02.27 | -
Ikarus | T3.1.1.80.0 | 2010.02.27 | -
Jiangmin | 13.0.900 | 2010.02.27 | -
K7AntiVirus | 7.10.984 | 2010.02.26 | -
Kaspersky | 7.0.0.125 | 2010.02.27 | Trojan.Win32.Swisyn.ywu
McAfee | 5904 | 2010.02.26 | -
McAfee+Artemis | 5904 | 2010.02.26 | -
McAfee-GW-Edition | 6.8.5 | 2010.02.27 | -
Microsoft | 1.5502 | 2010.02.27 | -
NOD32 | 4899 | 2010.02.26 | -
Norman | 6.04.08 | 2010.02.27 | -
nProtect | 2009.1.8.0 | 2010.02.27 | -
Panda | 10.0.2.2 | 2010.02.26 | Suspicious file
PCTools | 7.0.3.5 | 2010.02.27 | -
Prevx | 3.0 | 2010.02.27 | -
Rising | 22.36.05.04 | 2010.02.27 | -
Sophos | 4.50.0 | 2010.02.27 | -
Sunbelt | 5702 | 2010.02.27 | Trojan.Win32.Generic!SB.0
Symantec | 20091.2.0.41 | 2010.02.27 | Suspicious.Insight
TheHacker | 6.5.1.6.213 | 2010.02.27 | -
TrendMicro | 9.120.0.1004 | 2010.02.27 | -
VBA32 | 3.12.12.2 | 2010.02.26 | -
ViRobot | 2010.2.27.2205 | 2010.02.27 | -
VirusBuster | 5.0.27.0 | 2010.02.26 | -

Further information
File size: 40960 bytes
MD5...: 448b2533193e7d2581c84fd2f235b479
SHA1..: a87b6ae2f8620d82dfd463047c355c9efd8df020
SHA256: 2829bae4c51390be4d494ca53f3a1a8db3602a0eb1b532c90d61e97c65e4dbc7
ssdeep: 768:RiA+kO3n+dH1UVu9GffaNCzWWJ/XpkdImrbVzwSfVUdgblXA:R+QHS+bNvWJ /ZwImrb3NblXA
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1000
timedatestamp.....: 0x3329b400 (Fri Mar 14 20:24:32 1997)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x34ba 0x3600 5.42 b3e22ffd1aa472bc44706cec1cf4000d
.rdata 0x5000 0x5f1 0x600 4.49 f8467c3602b24b18428fbfd2dbecfed2
.data 0x6000 0x24000 0x5c00 6.31 63076797eb3ef543c44bb83dc716dcda
.rsrc 0x2a000 0x3fc 0x400 3.50 b941e81ad16e764cc1c743d241071a2f
( 2 imports )
> KERNEL32.dll: GetCommandLineA, CreateMutexW, CancelWaitableTimer, VirtualAlloc, GetCalendarInfoA, GetFileAttributesExW, TerminateThread, GetNumberFormatA, GetAtomNameW, DeleteFileA, ConvertDefaultLocale, CompareFileTime, CreateThread, LoadLibraryW, GetCommandLineA, Beep, FatalAppExitW
> USER32.dll: GetSysColorBrush, GetDlgItem, TranslateMessageEx, SendMessageA, DialogBoxParamW, MessageBoxA, IsCharLowerA, DispatchMessageW, GetFocus, GetDlgItemTextW, LoadCursorA, LoadCursorW, ShowWindow, EndDialog, GetClientRect, LoadStringA, GetParent, SendDlgItemMessageA, wsprintfA, CharNextW, wsprintfW, SetWindowLongA, InvalidateRect, SetWindowPos, GetWindowRect, GetDesktopWindow, SetWindowTextA, GetSystemMetrics, ReleaseDC, CreateWindowExW, KillTimer, SetDlgItemInt, PostQuitMessage, SetTimer, DispatchMessageA, EnableWindow, CharNextA, SendMessageW, LoadCursorA, SendDlgItemMessageW, SetWindowLongW
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ 4.x (90.7%)
Win32 Dynamic Link Library (generic) (5.1%)
Win16/32 Executable Delphi generic (1.3%)
Generic Win/DOS Executable (1.3%)
DOS Executable Generic (1.3%)
sigcheck:
publisher....: Ohofdkiyxvusgeipnutq Wztwfpwuytdg Pqtvsmuxzruvzxrywblnqsvu
copyright....: Nusmuyrpwpnumtvlywvthgnlpwvyos Qsvxqtwybdgilprlzilnbegpsu
product......: Gnlsfeidbigqmtsrgelj Wuqexvatgnrpwgeljqps
description..: Fmmvxyruwzzypqsvyqtvy
original name: n/a
internal name: n/a
file version.: 8.6.9.6
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
---------------------------------------------------------

Thanks so far. Yesterday I ran AntiVir as a complete system check over the computer. Result: 57 detections, although 90% of them came from an old backup-files folder. After the "repair" with AntiVir the firewall now stays on, but Firefox still doesn't work!

Many thanks for your further help!

Best regards
Sascha
27.02.2010, 11:23 | #4
Hi,

please run MAM and post the log, then GMER and after that a new HJ log... (see my post...)

You very probably have a still-unknown trojan/backdoor on the computer which, according to VirusTotal, AntiVir doesn't detect either. If MAM doesn't remove it, we'll do it by hand...

chris
27.02.2010, 20:24 | #5
Here is the MAM log as an interim report. I'll then continue with GMER as described...

Code:
Malwarebytes' Anti-Malware 1.44
Datenbank Version: 3799
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

27.02.2010 20:20:19
mbam-log-2010-02-27 (20-20-19).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|E:\|I:\|)
Durchsuchte Objekte: 344333
Laufzeit: 6 hour(s), 18 minute(s), 24 second(s)

Infizierte Speicherprozesse: 1
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 13
Infizierte Registrierungswerte: 1
Infizierte Dateiobjekte der Registrierung: 1
Infizierte Verzeichnisse: 1
Infizierte Dateien: 3

Infizierte Speicherprozesse:
C:\WINDOWS\system\svchost.exe (Backdoor.Bot) -> Unloaded process successfully.

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WUSN.1 (Adware.WhenU) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system\svchost.exe (Backdoor.Bot) -> Delete on reboot.
-----------------------------

Many thanks and best regards,
Sascha
28.02.2010, 14:01 | #6
So, since yesterday I have run GMER about 5 times. The scan starts normally and works for minutes or even hours, and then crashes every time before the scan ends. The PC restarts and XP speaks of a "serious error" that led to the restart. What's going on there?

Firefox, by the way, works again now.

Here is the current HijackThis log:

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:54:48, on 28.02.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Seagate\SeagateManager\Sync\MaxSync.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\SPMSMON.EXE
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Cherry\KeyMan\KeyMan.exe
C:\Programme\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\Services\SERVIC~1.EXE
C:\Programme\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Programme\Cherry\CDI\cdi.exe
C:\Programme\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Programme\SlySoft\CloneCD\CloneCDTray.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\agfguard.exe
C:\Programme\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\PROGRA~1\GEMEIN~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Programme\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programme\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [ChangeICON] C:\WINDOWS\SPMSMON.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CherryKeyMan] "C:\Programme\Cherry\KeyMan\KeyMan.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Programme\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [ScanSoft OmniPage SE 4.0-reminder] "C:\Programme\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini"
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [MMTray] "C:\Programme\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Programme\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Programme\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [PcSync] C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: ISDN Guard.lnk = C:\WINDOWS\agfguard.exe
O4 - Global Startup: Ulead Kalendar Checker 4.0 SE.lnk = C:\Programme\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0 (SP6)) - http://activex.microsoft.com/controls/vb5/comdlg32.cab
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Cherry Device Interface - Cherry, Auerbach Germany, www.cherry.de - C:\Programme\Cherry\CDI\cdi.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - C:\MAGIX\Common\Database\bin\fbserver.exe (file missing)
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Programme\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10186 bytes
-----------------------------

How should it go on from here?

Many thanks for your answer!

Best regards
Sascha
01.03.2010, 07:55 | #7 |
| PC apocalypse: firewall deactivation, Firefox broken, AntiVir alerts... Hi, there was a backdoor on it, so change all passwords, and really a reinstall is in order now, since there is no way to trace what else was changed... Instead of GMER: TDSS-Killer. Download and instructions at: http://www.trojaner-board.de/82358-tdsskiller-google-umleitungen-tdss-tdl3-alureon-rootkit-entfernen.html#post640150 Unpack all files! Create Start.bat: Start -> All Programs -> Accessories -> Notepad and paste the following text in: Code:
@ECHO OFF
TDSSKiller.exe -l report.txt -v
DEL %0
When TDSSKiller has finished, post the contents of report.txt. chris
__________________ Don't bring me down. Read before posting! Donations (anyone who wants to donate is welcome to get in touch) |
01.03.2010, 09:40 | #8 |
| PC apocalypse: firewall deactivation, Firefox broken, AntiVir alerts... TDSS-Killer:
Many thanks for the quick and competent help, Chris! I will reinstall when my buddy is back from vacation. Is there anything I need to watch out for until then, or anything else at all? I would also be interested in how the trojan could have gotten in. I always keep AntiVir up to date and am fairly careful - but I do have a suspicion: for an online e-learning course I had to turn off my pop-up blocker (Firefox). Could that have been the cause of the infection? Thanks again and best regards, Sascha |
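A check a helper could run over a posted report.txt before calling the box clean, added here as an example and not part of this thread or of TDSSKiller itself: it parses the report format TDSSKiller writes with -l report.txt (timestamp, thread id, message), collects the per-driver verdicts and the final infected / cured / cured-on-reboot counters, and lists everything that should block a "clean" call. The two sample reports are constructed, and the wording of the non-Clean verdict in the second one is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed samples modelled on the TDSSKiller 2.2.2 report format
# ("HH:MM:SS:mmm <thread-id> <message>"); not the thread's real report.txt.
# The non-Clean verdict wording in INFECTED_REPORT is an assumption.
CLEAN_REPORT = r"""
09:32:29:156 0560 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
09:32:29:796 0560 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
09:32:29:812 0560 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
09:32:29:843 0560 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
09:32:29:859 0560 Completed
09:32:29:859 0560 Results:
09:32:29:859 0560 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
09:32:29:859 0560 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
09:32:29:859 0560 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""

INFECTED_REPORT = r"""
09:32:29:156 0560 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
09:32:29:843 0560 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Rootkit.Win32.TDSS.tdl3
09:32:29:859 0560 Completed
09:32:29:859 0560 Results:
09:32:29:859 0560 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
09:32:29:859 0560 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
09:32:29:859 0560 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d{4}(?:\s+(.*))?$")
VERDICT_RE = re.compile(r"^TDL3_FileDetect: (?P<path>.+?) - Verdict: (?P<verdict>.+)$")
RESULT_RE = re.compile(
    r"^(?P<kind>Memory|Registry|File) objects infected / cured / cured on reboot: "
    r"(?P<inf>\d+) / (?P<cured>\d+) / (?P<reboot>\d+)$"
)

@dataclass
class ReportSummary:
    tool_version: Optional[str] = None
    completed: bool = False
    verdicts: Dict[str, str] = field(default_factory=dict)                 # driver file -> verdict
    results: Dict[str, Tuple[int, int, int]] = field(default_factory=dict)  # kind -> counters

    def suspicious_files(self) -> List[str]:
        return [p for p, v in self.verdicts.items() if v != "Clean"]

def parse_report(text: str) -> ReportSummary:
    """Pull the tool version, per-driver verdicts and final counters out of a report."""
    summary = ReportSummary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                        # blank lines and non-report residue
        msg = (m.group(1) or "").strip()    # separator lines and empty messages fall through
        if msg.startswith("TDSS rootkit removing tool"):
            summary.tool_version = msg.split()[4]
        elif msg == "Completed":
            summary.completed = True
        elif (v := VERDICT_RE.match(msg)):
            summary.verdicts[v["path"]] = v["verdict"].strip()
        elif (r := RESULT_RE.match(msg)):
            summary.results[r["kind"]] = (int(r["inf"]), int(r["cured"]), int(r["reboot"]))
    return summary

def triage(summary: ReportSummary) -> List[str]:
    """Findings that should stop a helper from calling the report clean."""
    notes = []
    if not summary.completed:
        notes.append("scan never reached 'Completed': treat the report as incomplete")
    missing = {"Memory", "Registry", "File"} - set(summary.results)
    if missing:
        notes.append("missing result counters: " + ", ".join(sorted(missing)))
    for path in summary.suspicious_files():
        notes.append(f"non-Clean verdict for {path}: {summary.verdicts[path]}")
    for kind, (inf, cured, reboot) in sorted(summary.results.items()):
        if inf:
            notes.append(f"{kind} objects infected: {inf} (cured {cured}, on reboot {reboot})")
        if reboot:
            notes.append(f"{kind} objects still need a reboot to finish the cure: {reboot}")
    return notes

def is_clean(summary: ReportSummary) -> bool:
    return not triage(summary)
```

A report that is cut off before "Completed" or lacks one of the three counters is reported as not clean rather than silently passing, which is the case a rushed reading of a long report tends to miss.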
01.03.2010, 13:19 | #9 |
| PC apocalypse: firewall deactivation, Firefox broken, AntiVir alerts... Hi, I can't tell you how the trojan got on there; most things are downloaded by the user, some also via drive-by download... I wouldn't do anything security-sensitive on that machine any more (e.g. online banking)... chris